Look for systems that share files over NFS

(Intro to String Expressions here)

If this system is configured to share files over NFS, the file /etc/exports will contain one or more lines, one for each share.

Since we want to alert on any share at all, we’ll just look for any character in that file:

/etc/exports Does not contain .

(Note: the “The following pattern:” field contains a single period.)

In this example we’re using the period’s role as “match any single character”.  As soon as someone adds a line to provide an NFS share, /etc/exports will have at least one character, and this rule will provide an alert.  If the file doesn’t exist, or exists but is empty, we won’t get an alert.

Stay up to date

Get the latest news and tips on protecting critical business assets.

Related Posts